Online gambling company Betfair was the victim of cyber attacks that attempted to gain access to customers' sensitive details, including security verification answers and credit card numbers.
The attack took place 18 months ago, in March 2010, Betfair confirmed on Friday. The company did not inform customers at the time.
"18 months ago we were subject to an attempted data theft. Because of our security measures the data was unusable for fraudulent activity and we were able to recover the data intact," the company said in a statement on Friday.
It added that it spoke to the "relevant authorities" at the time and "it was established that there was no risk to customers".
However, according to a report in The Telegraph on Friday, the attackers did in fact manage to steal millions of users' sensitive details including 2.28 million encrypted payment card account numbers and details, 3.16 million account user names with encrypted security questions and 89,744 account user names with bank account details.
According to The Telegraph, a report on the breach dated 27 September, 2010 was marked "Betfair Critical Confidential" and confirmed that "the attacker did indeed manage to copy the entire Sportex database", it said.
ZDNet UK contacted Betfair to verify the claims but the company declined to comment beyond its original statement.
A separate report on the theft carried out by security consultancy Information Risk Management (IRM) concluded that "appropriate technical controls relating to such elements as network segregation and file integrity monitoring that would provide Betfair the ability to deter, prevent and detect such an incident are not in place", The Telegraph said.
In an "Incident Report to Regulators" from July, the company said it chose not to inform customers on the basis that the Serious Organised Crime Agency (Soca) advised that releasing information may be detrimental to an investigation, the report said.
Betfair said it has "implemented all of the recommendations from the independent reports we commissioned and have done everything we can to minimise the risk of this happening again".